September 2006
Report No. 06-021

FDIC’s Emergency Response Plans

EVALUATION REPORT

Background and Purpose of Evaluation

The Federal Emergency Management Agency (FEMA) issued Federal Preparedness Circular 65, which provides guidance for agencies in developing contingency plans that include emergency planning for the safety and security of agency personnel.

The FDIC’s Emergency Preparedness Program provides the FDIC’s emergency response policy and requires that emergency response plans (ERPs) be established in Washington Area Headquarters Offices (HQ) and in each of the regional offices. The ERPs document the FDIC’s procedures and structure to ensure the safety and security of all FDIC personnel during an emergency.

The FDIC’s Division of Administration (DOA) Security Management Section conducts periodic training and maintains a Security Web site to ensure that all staff are aware of their responsibilities during an emergency.

Our objective was to evaluate the extent of the FDIC’s progress in developing and implementing comprehensive ERPs. The scope of our evaluation included the FDIC’s HQ facilities, Dallas Regional Office, and New York Regional Office.

To view the full report, go to www.fdicig.gov/2006reports.asp

Results of Evaluation

The FDIC’s emergency response policy provides a framework from which comprehensive ERPs have been established for HQ (including divisional ERPs for specific functional areas of concern) and the two regional offices we reviewed. In addition, the ERPs we reviewed address most of the recommended emergency response elements contained in federal agency criteria for emergency response planning. However, FDIC senior management, particularly in HQ, could do more to “set the tone” regarding the importance of emergency response through more public involvement in, and support for, emergency response plans. Further, additional guidance is needed on the following aspects of the FDIC’s emergency response policy and the ERPs we reviewed:

    • documenting management review and approval,
    • updating ERPs on a regular basis so they remain current,
    • assigning and maintaining a current list of Floor Marshals/Wardens,
    • communicating emergency information,
    • conducting evacuation and shelter-in-place drills,
    • developing shelter-in-place procedures,
    • inventorying and maintaining emergency food and water supplies,
    • providing information on available first-aid and medical response,
    • incorporating the child-care facility ERP into the HQ ERP, and
    • developing additional procedures for employees with disabilities.

This additional guidance would help the FDIC establish an emergency response policy and ERPs that assure the safety and security of FDIC personnel across a wide range of potential emergencies.

Recommendations and Management Response

We made two recommendations to strengthen the emergency response policy and the maintenance, communication, and content of the FDIC’s ERPs. DOA concurred with both recommendations and has planned or initiated actions that are responsive to both recommendations.

TABLE OF CONTENTS

BACKGROUND
     Emergency Response Plans
FDIC’S EMERGENCY RESPONSE POLICY AND PLANS
     Comparison of the FDIC’s ERP Policy and ERPs to Other Federal Agencies’ Guidance
     Senior Management Involvement and Support
     Emergency Response Organization
     Emergency Response Plan
     ERP Communication and Awareness
     Evacuation
     Shelter-in-Place
     First Aid
     Child-Care Facilities
     Disabled Persons
RECOMMENDATIONS
CORPORATION COMMENTS AND OIG EVALUATION
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: CORPORATION COMMENTS
APPENDIX III: MANAGEMENT RESPONSES TO RECOMMENDATIONS

TABLE:
Comparison of FDIC’s Policy and ERPs to Other Federal Agency Guidance

ACRONYMS

BCP        Business Continuity Plan
COOP       Continuity of Operations
CPR        Cardiopulmonary Resuscitation
DOA        Division of Administration
DOL        Department of Labor
DRO        Dallas Regional Office
ERP        Emergency Response Plan
FEMA       Federal Emergency Management Agency
FPC        Federal Preparedness Circular
GSA        General Services Administration
HQ         Washington Area Headquarters Offices
Hspd       Homeland Security Presidential Directive
NYRO       New York Regional Office
ODEP       Office of Disability Employment Policy
OEP        Occupant Emergency Program
OSHA       Occupational Safety and Health Administration
SMS        Security Management Section

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Audits
Office of Inspector General

DATE:             September 22, 2006

MEMORANDUM TO:    Arleas Upton Kea, Director
                  Division of Administration

FROM:             Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
                  Assistant Inspector General for Audits

SUBJECT:          FDIC’s Emergency Response Plans
                  (Report No. 06-021)

This report presents our evaluation of the FDIC’s Emergency Response Plans (ERPs) for Washington Area Headquarters Offices (HQ), the Dallas Regional Office (DRO), and the New York Regional Office (NYRO). Our objective was to evaluate the extent of the FDIC’s progress in developing and implementing comprehensive ERPs.
The ERP documents the FDIC’s procedures and structure to ensure the safety and security of personnel in the event of an emergency.

Our original objective was to evaluate the extent of the FDIC’s progress in developing and implementing a comprehensive Emergency Operations Plan, which consists of the Business Continuity Plan (BCP) and ERPs. However, we limited the scope of this review to the ERPs, and we plan to address the BCP in a future evaluation. Our evaluation focused on internal aspects of the HQ, NYRO, and DRO emergency response policy and plans (i.e., protection and safety of FDIC employees and facilities) and not the external and interagency aspects. Additional details on our objective, scope, and methodology are provided in Appendix I.

BACKGROUND

The Federal Emergency Management Agency (FEMA) issued Federal Preparedness Circular 65 (FPC 65), Federal Executive Branch Continuity of Operations (COOP), dated June 15, 2004, to provide guidance to federal executive branch departments and agencies for use in developing emergency plans and programs for the continuity of operations. Each agency is responsible for designing, updating, and carrying out comprehensive plans that include emergency planning for the safety and security of agency personnel.

With the issuance of FDIC Circular 1500.5, FDIC Emergency Preparedness Program, on December 28, 2004, the FDIC formally established a corporate-wide program to ensure the safety and security of personnel and the continuity of business operations. Section 6.c. of the circular specifically addresses ERP responsibilities and guidelines and supports emergency preparedness planning guidance as outlined in FPC 65.
Circular 1500.5 requires the FDIC’s HQ and regional offices to develop ERPs that document the procedures and structure for a coordinated response to an emergency and focus on mitigating injuries and the loss of life of FDIC personnel, contractors, and visitors at FDIC locations.

The Division of Administration’s (DOA) Assistant Director, Security Management Section (SMS), is responsible for the development and maintenance of emergency preparedness plans at HQ and all regional offices, to include developing an ERP and reviewing HQ and regional office ERPs for final approval by the Chief Operating Officer, or his designee.

The Assistant Director indicated that SMS is active in a number of interagency and local emergency preparedness committees and forums including:

    • the Washington Area Security Managers Association,
    • the Interagency Security Committee,
    • the Department of Homeland Security COOP Working Group,
    • monthly meetings hosted by the Joint Federal Committee,[1] and
    • quarterly meetings of the Arlington County Office of Emergency Management.

Emergency Response Plans

The HQ and regional office ERPs outline the responsibilities of all personnel during an emergency. ERPs contain information on emergency communication and notification systems and procedures for responding to different types of emergencies. SMS is responsible for developing the HQ ERP; and the DOA Regional Manager in each regional office is responsible for developing the regional office ERP.
Several other FDIC divisions, including the Divisions of Finance, Supervision and Consumer Protection, Resolutions and Receiverships, and Information Technology have also established plans for specific functional areas of concern.

To ensure that information is communicated in a timely manner during an emergency, the HQ ERP includes procedures for “Situation Rooms,” which are located in each HQ building and regional office. If an emergency occurs, division/office directors report to the nearest Situation Room and, through a teleconference bridge, tie into all other Situation Rooms. Directors are then able to obtain up-to-the-minute information and gain insight into the actions they must take to protect FDIC personnel.

As of July 2006, all FDIC office space in HQ and the San Francisco Regional Office is owned by the FDIC; all other regional office space is leased. Nevertheless, the FDIC is responsible for providing ERPs for its employees in both owned and leased facilities. The ERPs are available to FDIC employees on the FDIC Web site for their review.
Additionally, SMS and DOA Facilities personnel conduct periodic training sessions for HQ and regional office personnel designed to ensure that all staff understand their responsibilities during an emergency, and each location periodically conducts emergency evacuation and shelter-in-place drills.[2]

[1] The committee, chaired by the Department of Homeland Security, meets to discuss emergency preparedness issues in the National Capital Region.
[2] Shelter-in-place means going to a designated small, interior room with no or few windows, and taking refuge there.

FDIC’S EMERGENCY RESPONSE POLICY AND PLANS

The FDIC’s ERP policy provides a framework from which comprehensive ERPs have been established for HQ (including divisional ERPs for specific functional areas of concern) and the two regional offices we reviewed. In addition, the ERPs we reviewed address most of the recommended emergency response elements contained in federal agency criteria for emergency response planning. However, FDIC senior management, particularly in HQ, could do more to “set the tone” regarding the importance of emergency response through increased communication to employees.
Further, additional guidance is needed for the following aspects of emergency preparedness in the FDIC’s emergency response policy and the ERPs we reviewed.[3]

    • documenting management review and approval,
    • updating ERPs on a regular basis so they remain current,
    • assigning and maintaining a current list of Floor Marshals/Wardens,[4]
    • communicating emergency information,
    • conducting evacuation and shelter-in-place drills,
    • developing shelter-in-place procedures,
    • inventorying and maintaining emergency food and water supplies,
    • providing information on available first-aid and medical response,
    • incorporating the child-care facility ERP into the HQ ERP, and
    • developing additional procedures for employees with disabilities.

This additional guidance, as well as more public senior management involvement in, support for, and emphasis on the importance of emergency response planning, would be beneficial to the FDIC in remaining prepared to protect its employees in the event of a significant incident or emergency.

Comparison of the FDIC’s ERP Policy and ERPs to Other Federal Agencies’ Guidance

We compared the Corporation’s ERP policy and the HQ, DRO, and NYRO ERPs to the following federal agencies’ guidance:

    • FEMA guidance in FPC 65,
    • U.S. General Services Administration’s (GSA) Occupant Emergency Program Guide (OEP), including child-care center guidance;
    • Occupational Safety and Health Administration (OSHA) regulations, particularly section 1910.38, Emergency Action Plans; and
    • U.S. Department of Labor (DOL), Office of Disability Employment Policy (ODEP) publication, Effective Emergency Planning: Addressing the Needs of Employees with Disabilities.

[3] Not all of these enhancements were needed at each site.
[4] Floor Marshals and Floor Wardens are employees who have volunteered to assist in emergencies. They oversee evacuation or shelter-in-place efforts for their respective floor.

Based on our comparison, we concluded that the FDIC’s emergency response policy and the HQ, DRO, and NYRO ERPs include most of the elements contained in the federal agency guidance that we used as evaluation criteria but could be revised to include additional procedures and best practices.

The following table summarizes the most significant emergency response requirements contained in federal agency guidance. The remaining report sections discuss items not included in the ERP (indicated in the table as “No”) or needing improvement (indicated in the table as “Yes-NI”).

Comparison of FDIC’s Policy and ERPs to Other Federal Agency Guidance

The four right-hand columns answer the question "Is element addressed?"

| Criteria | Source | ERP Policy | HQ ERP | NYRO ERP | DRO ERP |
|---|---|---|---|---|---|
| SENIOR MANAGEMENT INVOLVEMENT AND SUPPORT | | | | | |
| The Chief Executive should set the tone by authorizing planning to take place and directing senior management to get involved. | FEMA Guidance [a] | Yes-NI | N/A [b] | N/A | N/A |
| EMERGENCY RESPONSE ORGANIZATION | | | | | |
| An emergency organization is established, preferably following existing lines of authority. | GSA | Yes | Yes | Yes | Yes |
| The ERP includes a sign-off sheet of the approving officials. | GSA | No | No | No | No |
| The plan identifies responsibilities of key personnel. | OSHA | Yes | Yes | Yes | Yes |
| Emergency organization members are designated by position rather than person. | GSA | Yes | Yes | Yes | Yes |
| The authority and responsibilities of guards under contract are defined. | GSA | Yes | Yes | Yes | Yes |
| EMERGENCY RESPONSE PLAN | | | | | |
| The ERP is updated on a regular schedule to ensure human capital information and resources remain current and key emergency response personnel are familiar with their responsibilities. | FPC 65 | No | No | Yes | Yes |
| The ERP includes procedures for how employees should respond to different types of emergencies such as fire, chemical, explosion, weather, etc. | OSHA | Yes | Yes | Yes | Yes |
| In leased space, the responsibilities of the owner/lessor are stated. | GSA | No | N/A | Yes | Yes |
| ERP COMMUNICATION AND AWARENESS | | | | | |
| An ERP should be kept where employees can refer to it at convenient times. | OSHA | Yes-NI | Yes-NI | Yes | Yes |
| Organizations conduct employee forums to discuss emergency procedures and solicit employee comments. | FPC 65 | Yes-NI | Yes-NI | Yes | Yes-NI |
| COMMAND CENTER | | | | | |
| A Command Center is established. | GSA | Yes | Yes | Yes | Yes |
| The ERP includes circumstances and procedures for emergency organization members to report to the Command Center. | GSA | Yes | Yes | Yes | Yes |
| IN THE EVENT OF AN EMERGENCY | | | | | |
| IMMEDIATE RESPONSE | | | | | |
| Procedures for reporting a fire or other emergency. | GSA | Yes | Yes | Yes | Yes |
| Procedures for reporting a bomb threat. | GSA | Yes | Yes | Yes | Yes |
| Procedures for employees who remain in FDIC facilities to operate critical plan operations. | OSHA | Yes | Yes | Yes | Yes |
| EVACUATION | | | | | |
| Procedures include evacuation under different types of emergencies and different evacuation routes. | OSHA | Yes-NI | Yes-NI | Yes | Yes |
| Procedures to account for all employees after evacuation. | OSHA | Yes | Yes | Yes | Yes |
| SHELTER-IN-PLACE | | | | | |
| Plans include conditions under which employees should shelter-in-place. | OSHA | Yes | Yes | Yes | Yes |
| Shelter-in-place sites are identified. | DOL-ODEP | Yes | Yes | No | Yes |
| Procedures to account for all employees during a shelter-in-place. | OSHA | Yes | Yes | Yes | Yes |
| ERP contains guidance on food and water supplies to maintain for extended shelter-in-place situations. | FPC 65 | No | No | No | No |
| FIRST AID | | | | | |
| The ERP includes procedures for handling serious injury or illness. | GSA | No | Yes-NI | Yes | Yes-NI |
| The ERP explains how building occupants can obtain first aid. | GSA | No | Yes-NI | Yes | Yes-NI |
| CHILD-CARE FACILITIES | | | | | |
| The ERP contains an appendix specifically devoted to the child-care center. | GSA | No | No | N/A | N/A |
| DISABLED PERSONS | | | | | |
| The ERP contains procedures for evacuation or sheltering of the handicapped. | GSA | Yes | Yes | Yes-NI | Yes-NI |
| The ERP includes procedures for persons with varying disabilities (i.e., vision, mobility, developmental, hearing). | DOL-ODEP | Yes-NI | Yes-NI | Yes-NI | Yes-NI |
| Plans facilitate communication with all staff and visitors, including those who are deaf or have communication difficulties. | DOL-ODEP | Yes | Yes | Yes | Yes |

Source: Summary of OIG Analysis.
[a] Emergency Management Guide for Business and Industry, FEMA 141, October 1993.
[b] Not applicable.

Senior Management Involvement and Support

The Chief Executive should set the tone by authorizing planning to take place and directing senior management to get involved.
FEMA’s Emergency Management Guide for Business and Industry states that emergency management requires upper management support and states that “the chief executive should set the tone by authorizing planning to take place and directing senior management to get involved.” Employees in an organization must be convinced that emergency response is a high priority--and the persons generally best able to convince them are the organization’s senior managers, and in particular, the chief executive. Public support by the chief executive and other senior managers can help ensure the attention and cooperation of employees. The FDIC HQ facilities and its regional offices are located in major metropolitan areas that could be susceptible to natural disasters or terrorist attacks. As a result, the Corporation must remain vigilant in its emergency response planning.

As discussed in our report, senior management has placed a greater emphasis on emergency response in the past several years and has made progress in establishing a comprehensive emergency response policy and plans. In addition, senior management took several steps to increase awareness and preparedness, such as referencing or including initiatives related to the Emergency Preparedness Program in the FDIC Strategic Plan 2005-2010 and the 2005 and 2006 Annual Performance Plans, carrying out table-top exercises that simulate likely emergency scenarios and responses, and providing Quarterly Status Reports for the Emergency Preparedness Program to the FDIC Board of Directors. Further, we saw evidence that division directors and field managers had periodically discussed ERP with their respective staffs. However, communication from senior management to FDIC employees regarding the ERPs has been infrequent.
In addition, the Corporation has been slow in completing and communicating certain elements of ERPs at its new Virginia Square facility, progress could be better in completing and providing on-line training to employees, and there is increased risk that employees are becoming complacent about attending ERP training and volunteering for key ERP positions.

More public senior management involvement in, support for, and emphasis on the importance of emergency response planning would be beneficial to the FDIC in maintaining momentum and interest in the ERP so the Corporation will remain prepared to protect its employees in the event of a significant incident or emergency.

Emergency Response Organization

The ERP should include a sign-off sheet of the approving officials. GSA’s OEP guidance recommends documentation of the ERP, along with the signature sheet of the approving official, indicating senior management acceptance of the plan.

The ERP is a component of the FDIC Emergency Preparedness Program and as such, should be reviewed by the Assistant Director, SMS, for final approval by the Chief Operating Officer or his designee. However, the ERP policy does not require documented approval of ERPs, and none of the ERPs we reviewed included a sign-off sheet for the approving official’s signature, indicating acceptance of the plan. As a result, the involvement of senior management in the development and approval of the ERPs we reviewed was unclear.

The HQ ERP, dated September 12, 2003, provides that the Director, DOA, acting on behalf of the Chairman of the FDIC, is responsible for enacting the ERP. The NYRO ERP, dated December 1, 2005, provides that the DOA Regional Manager (or designee) authorizes the execution of the ERP. The DRO ERP, dated January 2006, provides that the FDIC Chairman (or designee) authorizes the execution of the ERP.
While management officials told us the HQ ERP was vetted through DOA senior management and the Chief Operating Officer, we did not see evidence that the appropriate senior managers approved the ERPs that we reviewed. Revising the FDIC’s ERP policy to require the signature and date of the ERP approving official would emphasize the involvement of senior management and strengthen management control for review and approval of the ERP.

Emergency Response Plan

The ERP should be updated on a regular schedule to ensure that human capital information and resources remain current, and key emergency response personnel are familiar with their responsibilities. FPC 65 states that agency managers should (1) review regularly and update human capital information and resources to assure that the agency's policies remain current and relevant to changing environments or evolving threats and (2) develop, review, and update emergency guidelines as needed.

The FDIC’s ERP policy does not provide a standard timeframe for updating ERPs. Emergency contact information in the DRO and NYRO is routinely updated every 6 months; however, the HQ ERP has not been updated since September 2003. As a result, much of the information in the HQ ERP is not current in relation to the names and telephone numbers of emergency contact officials, floor marshals, and locations of rooms for sheltering-in-place. The ERP may also not reflect current guidance and best practices identified since it was last updated.

Floor Marshal/Warden Programs. Procedures for Floor Marshal/Warden programs need improvement to ensure that an adequate number of Floor Marshals/Wardens are maintained and that they attend training to ensure they are familiar with responsibilities and emergency procedures.
The FDIC’s ERP policy provides that ERPs should address the roles and responsibilities of Floor Marshals. As implemented at the FDIC, the Floor Marshals/Wardens are FDIC employees who have volunteered to facilitate an evacuation or shelter-in-place during an emergency and are key members of the Emergency Response Team. They are responsible for ensuring everyone on their floor is prepared for emergency situations and distributing emergency supplies and water as needed. The Floor Marshals/Wardens are also responsible for ensuring their floors are evacuated, when necessary, obtaining a head count of evacuated employees from supervisors, and reporting the results to SMS.

HQ Floor Marshal Program. As of April 2006, the Floor Marshal Assignment listing in HQ had not been verified since the ERP was last updated in September 2003. As a result, the FDIC does not have consistent coverage of the HQ facilities because many employees have either been relocated or have left the FDIC since their initial assignment. We compared the Floor Marshal assignment listing on the FDIC’s Emergency Web site on April 1, 2006 with the FDIC’s employee directory and determined that only 53 of the 86 Floor Marshals were working on their assigned floor. Further, we found that 12 of 86 employees assigned as Floor Marshals no longer worked at the FDIC.

We also randomly selected 17 (20 percent) Floor Marshals to obtain information regarding their training, supplies, and knowledge of FDIC Emergency Web site information. SMS provided emergency supplies, including an emergency food and water kit, to all Floor Marshals. However, of the 17 Floor Marshals we interviewed, only 11 reported having the emergency food and water kit. Also, nine Floor Marshals reported that they had not attended any emergency training or briefing in over 2 years.
SMS has provided two emergency training briefings in HQ since January 2004; however, attendance by Floor Marshals is not required, and SMS has not documented who attended those sessions. One of the seventeen Floor Marshals we interviewed had retired from the FDIC in April 2000 and returned as a contractor in 2004 and did not know he was still listed as a Floor Marshal. One other person responded that she had never accepted the responsibility and did not consider herself to be a Floor Marshal.

SMS staff told us that they rely on the Floor Marshals to contact them when they relocate but that this procedure is not included in the ERP. SMS was planning to update the Floor Marshal assignment listing after the relocation of the FDIC’s Washington employees to Virginia Square, Arlington, Virginia, in the first quarter of 2006. SMS also expressed concern that employees have not been volunteering to be Floor Marshals and is exploring other means of providing Floor Marshal coverage of the facilities, such as mandatory Floor Marshal assignments. However, DOA had not advised FDIC employees of the need for Floor Marshal volunteers.

DRO Floor Warden Program. We found that the DRO ERP Floor Warden program was substantially current, provided specific Floor Warden duties, and included training requirements. However, we found that assigned Floor Wardens have not consistently attended ERP training as prescribed or read the ERP as required. Although the ERP provides procedures for security personnel to review the Floor Warden list on a quarterly basis, this process would be more effective if it also required the Floor Wardens to notify security personnel when they relocate to a new floor or leave the DRO.

We compared the ERP Floor Warden listing on the DRO Web site to the office locations of each Floor Warden listed in the FDIC employee directory.
Of the 58 wardens assigned, 51 were correctly listed as Wardens on the floor for which they were currently assigned. Seven of the individuals were no longer on their assigned floor, and two of the seven wardens no longer worked at the DRO. The FDIC DRO Facilities Manager stated that DRO was in the process of verifying the Floor Warden listings floor by floor. DRO was contacting everyone on the list to determine whether the individuals still wanted to be a Floor Warden and was asking for volunteers on the floors where additional Floor Wardens were needed. Due to the recent downsizing in the DRO and numerous relocations of staff between floors, DRO was conducting this process once the moves had been completed.

The DRO ERP includes the responsibilities of the Floor Wardens in the event of an emergency and provides that Floor Wardens will attend training on a biannual basis. We surveyed a sample of 12 of the 58 wardens and found that only 6 of the 12 had read the ERP and only 1 had attended a briefing or other ERP training in the past year. Notwithstanding, 11 of the 12 employees we contacted were able to describe their Floor Warden responsibilities. The remaining employee was not aware that he had been assigned as a Floor Warden and indicated that he was not prepared to assume this responsibility. Additionally, 7 of the 12 employees suggested that more frequent briefings or meetings among the DRO Floor Wardens would be beneficial.

NYRO Floor Warden Program. The NYRO ERP does not include procedures for maintaining the Floor Warden Program. Management of Floor Wardens is the responsibility of the Facilities Manager who also coordinates employee relocation for the NYRO. We found the Floor Warden assignment listing in the NYRO ERP to be current, those assigned as Floor Wardens to understand their responsibilities, and supplies to be consistently maintained.
In accordance with the New York City Fire Code, Floor Wardens are required to sign a log in the main lobby of the building each day to indicate whether they are present in the event of an emergency. Further, the NYRO ERP specifically lists the duties of Floor Wardens both before and during an emergency.

The NYRO Floor Warden program includes 28 employees designated as Wardens, Deputy Wardens, Searchers, or Buddies.5 We verified that each of those assigned to one of these positions currently worked on the floor to which they were assigned. We interviewed a random sample of 10 (35 percent) of these individuals to determine the timing of the most recent ERP briefing or training they had attended, the status of supplies they maintained, and their understanding of their duties. None had attended an FDIC-sponsored ERP briefing or training session in the past year; however, 7 of the 10 employees reported that they had attended a briefing by the New York City Fire Department. All 10 employees reported that they had the emergency supply kit provided by the FDIC, and all were able to describe their respective emergency response duties. All those we spoke to gave the NYRO ERP a good rating and indicated that all employees were cooperative. Five of the ten employees we spoke with recommended more briefings or meetings scheduled by the FDIC.

ERP Communication and Awareness

An ERP should be kept where employees can refer to it at convenient times. Federal agency guidance and FDIC Circular 1500.5 suggest that emergency information is critical to the safety of employees in an emergency. FEMA FPC 65 states that agency managers are responsible for ensuring that employees have a clear understanding of what they are to do in an emergency.

Access to the ERPs differed between HQ and the two regional offices in our evaluation. While DRO and NYRO provide the complete ERP on their respective Web sites, HQ provides only a summary of the ERP.
Furthermore, although DIT has installed a Security Hot Link icon on FDIC employees’ computers, many Floor Marshals we interviewed were not aware this Hot Link exists, and employees have not been periodically reminded that the link is available.

In FDIC HQ, only a summary of the ERP is available for FDIC employees on the FDIC Web site. According to SMS personnel, the complete ERP is not maintained on the Web site because it includes the home telephone numbers of Emergency Response Team members and other detailed procedures that were determined by SMS to be unnecessary for employees in an emergency. The summary information provides evacuation procedures that employees should follow for specific building emergencies, procedures for partial evacuation with zoned alarms, locations of shelter-in-place areas and assembly areas, Floor Marshal listings, and other building-specific, critical information. SMS personnel determined that this information is critical for employees to have in an emergency. However, we identified other important information in the complete ERP that is not provided on the Emergency Web site. For example, ERP procedures for assisting individuals with disabilities and procedures for specific emergencies such as gas line ruptures; violent behavior; chemical, biological, or radiological incidents; and tornados and other severe weather are not included on the Web site.

5 Deputy Wardens, Searchers, and Buddies assist the Warden with duties such as searching the premises and assisting disabled persons.

In 2003, the Division of Information Technology installed a “Security Hot Link” icon on the FDIC’s HQ computers that provides immediate access to the FDIC Emergency Web site. The Emergency Web site provides information and additional Web sites for employees in the Washington area to obtain emergency information.
The Web site includes a summary of the ERP, Emergency Preparedness Status Reports, a link to the Washington, D.C., Emergency Information Center, emergency telephone numbers, Washington Area Transit System alerts, emergency pack information, and other information related to FDIC security. The Web site can be a valuable tool for employees in the event of an emergency and to provide routine emergency awareness. However, we found that only 8 of 17 Floor Marshals were aware that the Security Hot Link existed.

SMS did not maintain information on how or when the existence of the Security Hot Link had been communicated to FDIC employees. However, we confirmed that there has been no communication to FDIC employees, since at least 2004, that the Hot Link exists or that other emergency information is available. Additionally, the Security Hot Link on the NYRO computers links to information concerning HQ which could be confusing to employees not located in the Washington area in the event of an emergency. Computers at NYRO and DRO do not have a Security Hot Link to facilitate quick access to regional emergency information.

Organizations should conduct employee forums to discuss emergency procedures and solicit employee comments. FPC 65 states that employees should be encouraged to familiarize themselves with the emergency procedures in place at their agency, as well as the means of notification that an agency will use to inform and instruct employees. According to FPC 65, providing emergency information to employees on a recurring basis is an important element of emergency preparedness.
Activities to support communications with employees may include:

    • convening town hall meetings;
    • communicating plans and changes, including recurring distribution of emergency guides; and
    • working with unions to support and strengthen communication activities.

Further, FDIC Circular 1500.5 states that employees are responsible for attending FDIC-sponsored training events and understanding their responsibilities during an emergency.

DOA provides periodic ERP briefings for FDIC employees. During 2005, DOA announced and conducted briefings in May and November. However, according to SMS personnel, attendance at these briefings was poor. Facilities personnel in DRO provided emergency information briefings in February 2005 and April 2006; however, only Floor Wardens were notified of the briefing in 2005. In the NYRO, the building manager provides two training sessions each year in accordance with the New York City Fire Code. NYRO facilities personnel told us that attendance is excellent during these sessions. We discussed employees’ attendance with SMS personnel who expressed their concern over the lack of employee interest in emergency preparedness, particularly at HQ. SMS personnel stated that to facilitate FDIC employee ERP awareness, they are working on a computer-based training module that will be mandatory for all FDIC employees to complete annually. SMS plans to implement the training module in November 2006.

Evacuation

Procedures should address evacuation under different types of emergencies and different evacuation routes. GSA's Occupant Emergency Program Guide provides that ERPs should include adequate drills and training to ensure a workable emergency plan. Further, OSHA recommends that drills be conducted annually.
We determined that the FDIC's ERP policy does not specify the number or type of evacuation drills to be conducted at FDIC facilities. As a result, there were inconsistencies among the HQ, NYRO, and DRO drills we reviewed, and we concluded that improvements were needed.

HQ Drills. The HQ ERP provides that evacuation drills will be conducted twice a year. However, of the six FDIC facilities in Washington, D.C., and Arlington, Virginia, two drills were conducted for only the 1776 F Street building in Washington, D.C. The other FDIC facilities in Washington had one drill during 2005, and none were conducted at the Virginia Square, Arlington, Virginia, facility. SMS personnel told us that the move to Virginia Square, beginning in November 2005, eliminated the need for conducting a second drill in 2005 at all the FDIC buildings except the F Street Building and the Main FDIC building also in Washington, D.C. Further, the regular fire drills were not conducted at Virginia Square during 2005 because the building was evacuated numerous times associated with the construction of Virginia Square Phase II.

According to the District of Columbia Office of the Fire Marshal, the D.C. Fire Code does not require that the FDIC conduct a specific number of evacuation drills. Further, we did not identify any federal requirement applicable to the FDIC for the number of evacuation drills to be conducted. According to the Director, Arlington County Virginia Emergency Operations, the Arlington County Fire Code requires two drills annually for all high-rise buildings, such as those at the FDIC’s Virginia Square facility.

The HQ ERP does not include evacuation drill review procedures. However, SMS supervises the HQ evacuation drills, records the date and time of the drill, and gives the drill an overall rating.
SMS rated all drills conducted in 2005 as good to excellent, except for one evacuation drill conducted during March 2005 that SMS rated as poor. SMS attributed the poor rating to the time it took for employees to evacuate and a lack of cooperation by the employees. The rating form did not include any details on the evacuation or plans for taking corrective action.

NYRO Drills. Although the NYRO ERP does not include a provision requiring a certain number of evacuation drills, NYRO conducts three such drills each year. In addition, to comply with the New York City Fire Code, the building manager hires a contractor to conduct evacuation drills in January and July each year. To document the drills conducted by the NYRO, facilities personnel complete a checklist during the evacuation to document the amount of time to evacuate each floor. Once the drill is completed, FDIC facilities personnel then send out an e-mail to all staff, discussing the drill and reminding employees to check that their emergency supplies are complete, batteries are charged, and contact lists are current. We found the drills conducted at the NYRO to be fully documented by facilities personnel.

DRO Drills. The DRO ERP requires the building manager to conduct evacuation drills annually but does not address the number of, or process for evaluating, evacuation or shelter-in-place drills. The Dallas Fire Department permits high-rise office buildings to conduct partial building evacuation fire drills, and the property manager for Pacific Place (a DRO location) conducts partial building evacuation exercises quarterly such that each floor of the building has had an evacuation drill at least once each year. During each drill, personnel from Building Security, Building Management, FDIC Security, and DOA coordinate in reviewing the success of the drill.
This includes recording observations on a fire drill checklist form for each floor. For example, the form includes line items as to whether all doors were shut and whether the evacuation was performed in an orderly manner. Space is available for additional comments. Based on our review of these checklists, we determined that one evacuation drill per floor was conducted throughout 2005 at the DRO in compliance with the Dallas Fire Code.

Shelter-in-Place

ERPs should identify shelter-in-place sites and provide guidance on what food and water supplies to maintain on site for extended shelter-in-place situations. Federal agency guidance, including OSHA Standards and DOL ODEP guidance, suggests that communicating the procedures for sheltering-in-place to all building occupants prior to an actual emergency is important. In addition, the FDIC’s ERP policy provides that HQ and regional offices will develop ERPs that address shelter-in-place procedures for various incidents.

The NYRO has taken steps to implement shelter-in-place provisions; however, the NYRO ERP does not include specific procedures for shelter-in-place as do the Headquarters and DRO ERPs. Also, although each of the facilities we reviewed stores emergency food and water for shelter-in-place, only the DRO ERP provides information on the locations where food and water are stored and procedures for their maintenance and distribution. As a result, some FDIC employees do not have all the information available to plan for emergencies and to effectively utilize emergency supplies.

HQ Shelter-in-Place. The HQ’s ERP provides detailed shelter-in-place instructions, including the locations of refuge rooms and procedures for a shelter-in-place drill.
Also, in each HQ building, food and water supplies are maintained in a central location in a locked cabinet. However, the location of these supplies is known only to SMS personnel and security guards. The location of food and water is not discussed on the Emergency Web site or in the ERP. SMS personnel told us that supplies would be distributed as deemed necessary in the event of a prolonged shelter-in-place situation. They further stated that they base the amount of the food and water to maintain on criteria from the American Red Cross, which recommends a 3-day supply. SMS personnel also stated that Security Personnel periodically inventory the emergency food and water supplies. However, there is no procedure in the ERP for these supplies to be inventoried to ensure that adequate supplies are maintained and their shelf life has not expired.

NYRO Shelter-in-Place. The NYRO ERP does not provide specific shelter-in-place procedures identifying refuge rooms or procedures for maintaining food and water supplies. However, rooms for refuge have been identified, emergency packs have been distributed to all employees, and emergency food and water are maintained in a locked room along with other emergency supplies such as blankets and flashlights. Facilities personnel maintain the emergency food and water supplies based on instructions received from HQ SMS personnel in March 2003 advising them to maintain a 1-1/2 day supply for 70 percent of the building population.

DRO Shelter-in-Place. The DRO ERP provides shelter-in-place instructions, including the locations of refuge rooms and the locations of food and water supplies. Emergency food and water supplies are maintained on each floor of the DRO facility in unlocked cabinets identified with “Emergency Supplies” signs and are located in the restroom corridors on each floor of the building.
Additional food and water supplies are located in the Fitness Center on the 1st Floor and in the Emergency Operations Center located on the 10th and 11th Floors. The DRO ERP provides that these supplies will be distributed by Floor Wardens and security personnel as needed. These supplies are available to all employees. DRO follows the American Red Cross guidance for a 3-day supply. In addition to the food and water supplies, these cabinets contain flashlights with rechargeable batteries. Although not required by the DRO ERP, DRO facilities personnel provided us documentation of an inventory of emergency supplies that is conducted monthly by building security personnel.

First Aid

ERPs should include procedures for handling serious injury or illness and explain how building occupants can obtain first aid. The GSA Occupant Emergency Program Guide and OSHA Emergency Action Plans and Procedures recommend that procedures be established for handling serious injury or illness. Further, the GSA OEP recommends employees be told in advance how to get first aid, including available medical resources and their location.

The ERP policy does not specifically address how first aid and medical care will be provided to employees in the event of an emergency. Of the three ERPs we reviewed, only the NYRO ERP contains information concerning the availability of first aid during an emergency. Additionally, we found that security guards in all three locations are trained in first aid, cardiopulmonary resuscitation (CPR), and use of defibrillators, but this information is not included in the three ERPs.

The NYRO ERP discusses general first-aid procedures, emergency medical contact numbers, building management coordination for ambulance arrival, security guard assistance, and obtaining CPR. The HQ and DRO ERPs rely on emergency first responders (i.e., fire fighters, police officers, etc.) to provide first aid.
However, emergency first responders may be delayed in an emergency due to traffic congestion or multiple affected sites. Contract security guards in HQ and DRO are also trained in first aid and CPR, but they are not addressed in the ERPs as a resource. Possible use of the contract nurses and dispensaries is also not addressed. Additionally, the FDIC has cancelled the first aid and CPR training program for FDIC employees.

SMS personnel advised us that although such information is not in the ERP, HQ employees have been notified by e-mail, on the Security Web site, and in information packets provided during office relocations to call * 911 in the event of a medical emergency. DRO gives pamphlets that contain emergency telephone numbers to visitors. The pamphlets are also available in break rooms throughout the building.

Although these methods of communicating first aid information are beneficial, inclusion of all available medical resources in the ERPs would provide employees with one consistent source for emergency-related information. Also, ERPs should address scenarios for providing first aid as soon as possible in an emergency situation. Immediate medical resources should include security guards, nurses, dispensaries, CPR-certified FDIC employees, and medical supply kits that will be immediately available before the arrival of external first responders.

Child-Care Facilities

The ERP should contain an appendix specifically devoted to the child-care center. GSA’s Occupant Emergency Plan guidance on child care recommends that the ERP for any child-care center be prominently mentioned in the ERP.

The FDIC’s ERP policy does not address whether the child-care center, located on FDIC premises, should be included in the ERP. Therefore, the HQ ERP does not include procedures for the child-care center located on FDIC premises in Washington, D.C.
(the DRO and NYRO do not have child-care facilities). This situation has been complicated because the FDIC has not received a finalized Emergency Plan from the child-care center’s Board of Directors. As of July 2006, the child-care center’s Emergency Plan was still in draft – over 1 year after it was initiated in November 2004. Additionally, although SMS personnel are involved in fire drills conducted for the facility, the FDIC’s participation in the fire drill is not documented.

The FDIC building at 1776 F Street in Washington, D.C., has a child-care center on the first floor of the building off the main lobby. This center cares for approximately 80 children ranging from 6 weeks to 6 years of age. The facility is governed by a private Board of Directors and is operated by a contractor hired by the Board of Directors. According to the center’s Director, the center is licensed and inspected by the District of Columbia and, therefore, is required to follow the regulations for child-care centers in Washington, D.C.

SMS personnel stated that the child-care center is separate from the FDIC and, therefore, SMS is not involved in the child-care center’s Emergency Plan. SMS personnel stated that the goal of the child-care center Emergency Plan is to get the children and teachers out of the facility, but once they step into the lobby of the Headquarters building, they are covered within the scope of the FDIC ERP. At that point, the FDIC will determine where the children and center staff should evacuate to. However, the HQ ERP does not discuss the child-care center.

We obtained a copy of the child-care center’s draft Emergency Plan, which contains procedures to be followed in the event of an emergency. The center Director stated that the plan is still in draft because it has not been approved by the child-care center Board of Directors.
A member of the Board of Directors expressed that the plan has not been approved because the Board feels that it is not sufficiently comprehensive. For example, the plan does not identify procedures in the event of a prolonged shelter-in-place. However, the plan does identify evacuation procedures and the locations for children and staff to be evacuated in the event of an emergency.

The GSA Occupant Emergency Plan guidance on child care recommends that the ERP for any child-care center be prominently mentioned in the ERP. According to GSA, this is important to ensure coordination between agency and child-care center personnel. We compared the GSA Occupant Emergency Plan guidance on child care to the FDIC child-care center’s Emergency Plan. We found that the Emergency Plan provides basic procedures to be followed in an emergency; however, the plan is lacking specific details related to the center’s location in the FDIC building. For example, the plan does not discuss the location of the child-care center in the F Street building nor provide a description of evacuation routes.

Based on our review of drill dates documented by the child-care center and interviews with SMS personnel and the Director of the child-care center, we concluded that regular monthly evacuation drills were conducted for the child-care center and that SMS personnel were involved in those drills. However, SMS did not document its participation in these drills except for a log maintained by the contractor showing the dates that drills were conducted and the time it took to evacuate the facility. The contractor log did not indicate whether the drill was fully successful; whether significant problems were encountered, such as whether children were left behind; or if plans were needed for corrective action.

We discussed our results with SMS and child-care center personnel.
We were told that the child-care center Emergency Plan has not been finalized because of turnover in the child-care center’s Director position four times in the last 2 years and delays due to plan review by the child-care center’s Board of Directors. SMS personnel and child-care center personnel also stated that although the Emergency Plan has not been finalized, they have ensured through monthly drills that all child-care center staff and children are proficient in evacuating the premises and that parents are aware of the evacuation procedures. SMS personnel added that they are planning for additional procedures for the FDIC’s relationship with the child-care center in the update to the ERP. The FDIC will also need an emergency plan for a new child-care center to be opened in Virginia Square in October 2006.

Disabled Persons

ERPs should include procedures for the evacuation or sheltering of the handicapped and procedures for persons with varying disabilities (i.e., vision, mobility, developmental, hearing). According to federal guidance, agencies are to address the emergency preparedness needs of people with disabilities.
Executive Order 13347, Individuals With Disabilities in Emergency Preparedness, dated July 22, 2004, sets forth policy that executive departments and agencies of the Federal Government consider, in their emergency preparedness planning, the unique needs of agency employees with disabilities and individuals with disabilities whom the agency serves. DOL’s ODEP also issued a publication, Effective Emergency Preparedness Planning: Addressing the Needs of Employees with Disabilities, dated August 2005, which noted that emergency preparedness plans should include people with disabilities, and in order to do so effectively, organizations need to establish a process to fulfill requests from individuals with disabilities for reasonable accommodations they may need in emergency situations.

The FDIC’s ERP policy requires that ERPs address the special needs of the disabled, to include individuals with mobility, hearing, or visual impairments. Each of the three ERPs we reviewed instructs persons with permanent or temporary disabilities to contact their supervisor, Floor Wardens, or security personnel if assistance is required in the event of an emergency. We found that the HQ ERP also includes guidance and specific procedures for assisting persons with varying disabilities. However, such guidance and procedures are not included in the regional office ERPs and are not provided on the HQ emergency Web site. Consequently, information to assist disabled employees is not readily available for FDIC employees to plan for an emergency.

To determine whether the FDIC’s ERPs provide adequate procedures covering disabled employees, we reviewed ODEP-suggested guidance for elements to be included in emergency response planning for employees with disabilities.
These considerations include providing procedures for assisting persons with disabilities, establishing refuge areas and areas of rescue assistance, and installing alarms for the hearing impaired and tactile signage for those with vision impairments. We concluded that, in general, the FDIC’s ERPs are consistent with ODEP guidance; however, the two Regional Office ERPs we reviewed did not address certain ODEP considerations. Specifically, these ERPs do not contain procedures for assisting persons with various disabilities. We did note that the HQ ERP addresses such procedures and that the DRO and the NYRO ERPs contained provisions for buddies or Floor Wardens to assist those with disabilities. However, the DRO and NYRO ERPs need to contain information for individuals with disabilities so that disabled persons have guidance allowing them to properly plan for an emergency situation.


RECOMMENDATIONS

We recommend that the Director, DOA:

(1) Work with senior FDIC executives to establish a strategy for ensuring their public support for and involvement in ERPs.

(2) Revise the ERP policy and individual ERPs, where appropriate, to address the following issues discussed in this report:

   • Documenting management review and approval of ERPs.
   • Updating ERPs on a regular basis.
   • Ensuring Floor Marshal/Warden assignments are kept current and Floor Marshals/Wardens attend periodic training.
   • Communicating ERP information to employees.
   • Implementing an annual, mandatory ERP computer-based training course.
   • Conducting evacuation drills to include a process for evaluating the drill and obtaining employee feedback.
   • Developing instructions for conducting a shelter-in-place and for the location, distribution, and maintenance of food, water,
     and other emergency supplies.
   • Establishing procedures for handling serious injury or illness and informing employees of procedures for obtaining medical supplies and first aid.
   • Ensuring the FDIC’s ERPs address coordination between the child-care facility and the FDIC before, during, and after an emergency.
   • Developing additional instructions for assisting persons with varying disabilities as is included in the HQ ERP.


CORPORATION COMMENTS AND OIG EVALUATION

The Director, DOA, provided a written response, dated September 20, 2006, to a draft of this report. DOA’s response is presented in its entirety in Appendix II. DOA concurred with both of our recommendations. With respect to recommendation 1, which involved working with senior FDIC executives to establish a strategy for ensuring public support for and involvement in ERPs, we confirmed that DOA’s planned actions would include efforts to increase the involvement and visible support of senior FDIC leadership in emergency response planning.

DOA’s planned and initiated actions are responsive, and we consider both recommendations resolved. However, these recommendations will remain open until we have determined that agreed-to corrective actions have been completed and are effective. Appendix III presents a summary of DOA’s responses to our recommendations.


APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Our original objective was to evaluate the extent of the FDIC’s progress in developing and implementing a comprehensive Emergency Operations Plan, which consists of the BCP and ERPs. However, we limited the scope of this review to the ERPs.
We plan to address the BCP in a future evaluation.

Our revised objective was to evaluate the extent of the FDIC’s progress in developing and implementing comprehensive ERPs. The FDIC’s ERP policy is included in FDIC Circular 1500.5, FDIC Emergency Preparedness Program, dated December 28, 2004. Our evaluation focused on internal aspects of the HQ, NYRO, and DRO ERPs (i.e., protection and safety of FDIC people and facilities) and not the external and interagency aspects. Our review also included an evaluation of Circular 1500.5, Section 6.c, which addresses ERP responsibilities and program guidelines. We conducted our evaluation from November 2005 through July 2006 in accordance with generally accepted government auditing standards.

To accomplish our objective, we performed the following:

• Reviewed the ERPs for HQ, dated September 12, 2003; for NYRO, dated December 1, 2005; and for DRO, dated January 1, 2006.
• Reviewed FDIC Circular 1500.5, FDIC Emergency Preparedness Program, dated December 28, 2004, which serves as the official policy for HQ and regional offices in developing, implementing, and maintaining an FDIC Emergency Preparedness Program, comprised of an ERP and BCP.
• Reviewed the HQ ERP shown on the FDIC’s emergency response Web site.
• Reviewed Circular 1500.5 and the HQ, NYRO, and DRO ERPs to determine whether they included selected items from the following federal agency guidance:
        • FEMA FPC 65 Federal Executive Branch Continuity of Operations.
        • GSA Occupant Emergency Program Guide, including child-care center guidance.
        • OSHA Standard 1910.38, Emergency Action Plans.
        • DOL-ODEP guidance, Effective Emergency Planning: Addressing the Needs of Employees with Disabilities.

We also reviewed the following
guidance:\n\n           \xe2\x80\xa2   President\xe2\x80\x99s Council on Integrity and Efficiency, Inspections and Evaluations\n               Roundtable, draft, Guide for Inspectors General on the Evaluation of Agency\n               Emergency Preparedness under the National Incident Management System\n               Framework (revised February 7, 2006).\n\n\xe2\x80\xa2   Reviewed the HQ, NYRO, and DRO emergency response programs to determine whether\n    they include selected best practices identified from the same federal agency guidance listed\n    above.\n\n\n\n\n                                               18\n\x0c                                                                                   APPENDIX I\n\n\n\n\xe2\x80\xa2   Reviewed the HQ, NYRO, and DRO ERPs and programs for the following:\n\n           \xe2\x80\xa2   Evacuation and shelter-in-place drills\n           \xe2\x80\xa2   Floor Warden assignments and training\n           \xe2\x80\xa2   Procedures for disabled employees\n           \xe2\x80\xa2   Food and water supplies\n           \xe2\x80\xa2   Communication of ERPs to FDIC employees\n           \xe2\x80\xa2   Coordination with other agencies\n           \xe2\x80\xa2   Security guard roles\n           \xe2\x80\xa2   First responders and first aid\n           \xe2\x80\xa2   Procedures for updating ERPs\n           \xe2\x80\xa2   Web site information\n           \xe2\x80\xa2   Child-care facilities\n\n\xe2\x80\xa2   Reviewed FDIC division ERPs included in the appendix to the HQ ERP to determine\n    whether the ERPs are up-to-date, complete, and consistent.\n\xe2\x80\xa2   Reviewed DOA Corporate Customer Satisfaction Survey results relative to emergency\n    response preparedness.\n\xe2\x80\xa2   Interviewed the following individuals to gain an understanding of the HQ, NYRO, and DRO\n    ERPs:\n           \xe2\x80\xa2 Assistant Director, SMS, DOA\n           \xe2\x80\xa2 Chief, Transportation Unit, DOA HQ\n           \xe2\x80\xa2 Securiguard 
Personnel\n           \xe2\x80\xa2 DOA Regional Manager, NYRO; and Corporate Services Branch managers and\n              other personnel at the NYRO and DRO.\n           \xe2\x80\xa2 Director, FDIC child-care center\n           \xe2\x80\xa2 Board Member, FDIC child-care center\n\nOur review did not include an assessment of the effectiveness of the HQ, NYRO, and DRO\nresponses in the event of an actual emergency.\n\nInternal Management Controls\n\nWe evaluated the effectiveness of controls in place for the implementation of the FDIC\xe2\x80\x99s\nemergency response process. These controls included the policies and procedures for the\ndevelopment, approval, maintenance, and testing of the FDIC\xe2\x80\x99s emergency response plans. In\nthe absence of written policies, we relied on interviews and information obtained from the\nAssistant Director, SMS, who is responsible for the FDIC\xe2\x80\x99s ERPs, as well as other SMS officials\nand NYRO and DRO representatives.\n\nCompliance with Laws and Regulations\n\nWe identified the following various laws, regulations, presidential directives, and agency\nguidance that were of potential relevance to this evaluation and obtained legal guidance on their\napplicability to the FDIC.\n\n\n\n                                               19\n\x0c                                                                                   APPENDIX I\n\n\n\n               \xe2\x80\xa2     The Homeland Security Act.\n               \xe2\x80\xa2     The Homeland Security Presidential Directives (Hspd):\n                       \xe2\x80\xa2 Hspd-3 Homeland Security Advisory System, dated March 11, 2002\n                       \xe2\x80\xa2 Hspd-5 Management of Domestic Incidents, dated February 28, 2003\n                       \xe2\x80\xa2 Hspd-7 Critical Infrastructure Identification, Prioritization, and\n                          Protection, dated December 17, 2003\n                       \xe2\x80\xa2 Hspd-8 National Preparedness, dated December 
17, 2003\n           \xe2\x80\xa2       Department of Homeland Security\xe2\x80\x99s National Incident Management System and\n                   National Response Plan.\n           \xe2\x80\xa2       FEMA FPC 65, Federal Executive Branch Continuity of Operations.\n           \xe2\x80\xa2       OSHA Standard 1910.38, Emergency Action Plans.\n           \xe2\x80\xa2       GSA Occupant Emergency Program Guide, including child-care center guidance.\n           \xe2\x80\xa2       DOL-ODEP publication, Effective Emergency Planning: Addressing the Needs of\n                   Employees with Disabilities.\n           \xe2\x80\xa2       Executive Order 13347, Individuals With Disabilities in Emergency\n                   Preparedness, dated July 22, 2004.\n\nSome of the legal authorities, particularly the National Response Plan and the National Incident\nManagement System, dealt with external or interagency aspects of emergency response planning\nwhile this evaluation focused on the internal aspects of the ERPs (protecting FDIC employees\nand persons on FDIC property). 
Areas for improving compliance with the legal authorities or
guidance that pertains to the internal aspect of emergency response planning are noted
throughout the report.

Regarding the legal authorities or guidance cited in the report, the FDIC’s policy is to be
consistent with the requirements of FPC 65; the guidance from OSHA, GSA, and DOL is not
binding on the FDIC, but we are presenting them as best practices for the FDIC to consider.
Executive Order 13347 sets forth general policies that would be prudent for the FDIC to consider
when performing its emergency-preparedness planning relative to individuals with disabilities.

Government Performance and Results Act, Computer-Based Data, and Fraud or Illegal Acts

The Government Performance and Results Act of 1993 directs federal agencies to develop a
strategic plan, align agency programs and activities with concrete missions and goals, manage
and measure results, and design budgets that reflect strategic missions. We confirmed that the
FDIC Strategic Plan 2005-2010, FDIC 2005 Annual Performance Plan, and FDIC 2006 Annual
Performance Plan include references to or initiatives related to the FDIC’s Emergency
Preparedness Program, which we considered as part of our evaluation of management’s support
for ERP.

We did not rely on the accuracy of computer-based data to perform this evaluation.
Not performing
assessments of computer-based data did not affect the results of our evaluation.

Our evaluation program included steps for providing reasonable assurance of detecting fraud or
illegal acts, and none were detected.


APPENDIX II


APPENDIX III

MANAGEMENT RESPONSES TO RECOMMENDATIONS

This table presents the management responses on the recommendations in our report and the status of the recommendations as of the
date of report issuance.

Rec. Number: 1
Corrective Action: Taken or Planned/Status:
    FDIC senior management has taken steps to increase
    awareness and preparedness among FDIC staff by
    establishing comprehensive policy and plans, strategic
    planning initiatives, table top exercises and Quarterly
    Status Reports for the Emergency Preparedness
    Program. The FDIC will continue to stress to all senior
    managers the importance of the ERP and ask them to
    include emergency preparedness in their discussions at
    various division and office meetings as a way to
    increase awareness.

    We also confirmed that DOA’s planned actions would
    include efforts to increase the involvement, and visible
    support, of senior FDIC leadership in emergency
    response planning.
Expected Completion Date: October 30, 2006
Monetary Benefits: $0
Resolved: Yes or No (a): Yes
Open or Closed (b): Open

Rec. Number: 2
Corrective Action: Taken or Planned/Status:
    DOA will take actions related to each of the areas
    identified in the recommendation, including:

    •   documenting management review and approval of
        ERPs;
    •   updating ERPs on a regular basis;
    •   ensuring Floor Marshal/Warden assignments are
        kept current;
    •   communicating ERP information to employees;
    •   implementing an annual, mandatory ERP
        computer-based training course;
    •   conducting evacuation drills to include a process
        for evaluating drills and obtaining employee
        feedback;
    •   developing instructions for conducting a shelter-in-
        place and for the location, distribution, and
        maintenance of energy and supplies;
    •   establishing procedures for handling serious injury
        or illness and informing employees of procedures
        for obtaining medical supplies and first aid;
    •   ensuring the FDIC’s ERPs address coordination
        between the child-care center and the FDIC; and
    •   developing additional instructions for assisting
        persons with varying disabilities.
Expected Completion Date: October 30, 2006
Monetary Benefits: $0
Resolved: Yes or No (a): Yes
Open or Closed (b): Open

(a) Resolved: (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
              (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
              (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long
                  as management provides an amount.
(b) Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.